jellyfin / jellyfin-web

Web Client for Jellyfin
https://jellyfin.org
GNU General Public License v2.0

Able to access and play not shared library with direct links. #1139

Open MariusSp opened 4 years ago

MariusSp commented 4 years ago

Describe the bug

EDIT: I reproduced it with just direct links, no Ombi needed. Adjusted the bug report.

If a user clicks on a direct itemdetail.html link in Ombi, he is able to access files which are not shared with the user.

I have to trigger the bug with Ombi, but after the initial trigger it works with every direct link like address/web/index.html#!/movies.html?topParentId=SOMEID or address/web/index.html#!/itemdetails.html?id=SOMEID. Therefore I'm not sure if it is a Jellyfin bug or an Ombi bug (maybe something with the API connection?).

Ombi always scans all libraries from the linked Jellyfin instance (no option to select libraries). Therefore it generates links to itemdetail.html from libraries that the potential user has no access to. (That's an Ombi issue; I will create an issue for that at their repo.)

The user is (after login/authentication and redirection to the Jellyfin home page) able to reload the page and then view the page and play the file even if the linked library (or single item) is not shared with the user.

To Reproduce

  1. Click on a "View in Emby" link in Ombi (displayed for items on the search or requests page, which are found in any Jellyfin library) or any direct link to a not shared item.
  2. Log in in the new window/tab with a user who should not be able to view the library/item.
  3. Now you get redirected to the home page.
  4. Go back to the Ombi page (previous tab) and click on the "View in Emby" link again. Keep the redirected tab open and open the direct link in a new tab again. Now the page displays and the user is able to play the item in the browser.

Optional: Now you are able to send the user a direct link to a library and he is able to browse it and play items.

Demonstration Video (created with the Ombi approach, works with direct link too though)

Expected behavior

The user should always get redirected to his home page and never be able to view those pages and play the items.

Logs

Pastebin Log

System (please complete the following information):
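The report above shows a client-side redirect being treated as access control: the web client sends the user to the home page, but a reload or a second tab still renders the item and plays the file. The following is an added illustration, not code from jellyfin-web or Jellyfin server, of where the check has to live for this class of bug to be closed: the server must compare the requested item's library against the user's library policy on every item and library request. The data, the user records and the field names (enableAllFolders, enabledFolders) are constructed for the example and are not Jellyfin's schema.

```javascript
// Added illustration, not jellyfin-web code: a redirect in the browser does
// not stop a user from rendering an item page or playing a file. The check
// that matters is the one the server applies when the item is requested.

// Constructed sample data: two libraries with one item each.
const libraries = {
  "lib-movies": { items: ["item-1"] },
  "lib-private": { items: ["item-2"] },
};
const items = {
  "item-1": { id: "item-1", parentId: "lib-movies", name: "Shared movie" },
  "item-2": { id: "item-2", parentId: "lib-private", name: "Private movie" },
};

// Constructed per-user policy (field names are assumptions, not Jellyfin's):
// which libraries each user is allowed to see.
const users = {
  alice: { enableAllFolders: false, enabledFolders: ["lib-movies"] },
  admin: { enableAllFolders: true, enabledFolders: [] },
};

// Vulnerable pattern: the item is looked up by id alone. Any authenticated
// user who has a link to the item receives its metadata, and by extension
// its stream. The only "protection" is a redirect performed by the client.
function getItemUnchecked(userName, itemId) {
  if (!users[userName]) return { status: 401 };
  const item = items[itemId];
  return item ? { status: 200, item } : { status: 404 };
}

// Hardened pattern: resolve the item's library and compare it with the
// user's policy before returning anything.
function canAccessLibrary(user, libraryId) {
  return user.enableAllFolders || user.enabledFolders.includes(libraryId);
}

// Answering 404 rather than 403 avoids confirming that a guessed id exists.
function getItemChecked(userName, itemId) {
  const user = users[userName];
  if (!user) return { status: 401 };
  const item = items[itemId];
  if (!item || !canAccessLibrary(user, item.parentId)) return { status: 404 };
  return { status: 200, item };
}

// Browsing a library (the topParentId links in the report) needs the same
// check; otherwise the listing leaks every item id in the library.
function listLibraryChecked(userName, libraryId) {
  const user = users[userName];
  if (!user) return { status: 401 };
  const lib = libraries[libraryId];
  if (!lib || !canAccessLibrary(user, libraryId)) return { status: 404 };
  return { status: 200, items: lib.items.map((id) => items[id]) };
}
```

The client redirect in the report can stay as a usability feature, but the hardened server handlers are what make the "open the link again in a new tab" step in the reproduction return nothing instead of a playable item.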

stale[bot] commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh by adding a comment or commit. Stale issues close after an additional 14d of inactivity. If this issue is safe to close now please do so. If you have any questions you can reach us on Matrix or Social Media.

MariusSp commented 4 years ago

Can we not let security issues get stale?